Millions of users of dating site Match.com are at risk of having their password stolen

Members of dating site
Match.com, which has millions of subscribers across 25
countries, are at risk of having their passwords exposed. The
website's login page has had an error active for weeks,
Ars Technica reports.

This is because the Match.com login page doesn't use HTTPS
encryption to keep its users safe, Ars Technica explains. Put as
simply as possible: HTTP is the protocol websites use to transmit
information online, and HTTPS is the encrypted version of it.

Companies such as Match.com should encrypt that data to
protect passwords when users log in. On the front end of a
website, you don't see the inner workings of all this, but with
the right tools, you can — and that's where the passwords can be
uncovered if websites don't use the right security
measures.

It's been found that the Match.com website uses an unprotected
HTTP connection to send and receive data over the web. It means
that anyone can use something called a "packet analyser" to see
what's going on behind the scenes.

Ars Technica reporter Dan Goodin used a packet analyser called
Wireshark to uncover the vulnerabilities in Match.com's login
page. He writes that he entered his email address and a password
into the Match.com login page while using Wireshark, and saw his
details exposed.

So if a keen dater decided to sign into his Match.com profile to
scout for would-be lovers on a public network — a coffee shop,
airport, etc. — and someone with a packet analyser tool was on
the same network, they could steal the information needed to sign
in.

Filmmaker Scott Bryner first spotted the ease with which a third
party could get into someone's dating profile on Match.com
and said the error has been apparent since March. The website
has failed to follow basic security practices and millions of
members are said to still be in danger of having their passwords
stolen.

We've emailed Match.com for comment and will update this post if
it responds.